OAuth2 flow for mobile app


Question

We have a pre-existing mobile application. The user registers with his user name and password. Currently we have a custom token-based authentication. We would like to switch to OAuth2 without affecting the user experience. It looks like Resource Owner Password Credentials is the nearest flow for us, but there are a lot of recommendations against using it... Any other recommendation? We are planning to use IdentityServer4.

Answer

tl;dr: use Authorization Code flow + PKCE

The resource owner password credentials grant is there for clients which cannot convert (migrate) to a fully OAuth client. Also, be aware that the specification strictly mentions a trust relationship between client and end user.

From the specification:

The resource owner password credentials grant type is suitable in cases where the resource owner has a trust relationship with the client, such as the device operating system or a highly privileged application. The authorization server should take special care when enabling this grant type and only allow it when other flows are not viable.

So what you heard is correct. You must only use this if you are out of options. And mind you, by using this flow you lose the essence of OAuth 2.0: you will expose end-user credentials to the client.

Moving to OAuth 2.0

Mobile clients are public clients. The recommended grant for a mobile client is the authorization code grant type. Also, since it's a public client you must use PKCE (Proof Key for Code Exchange by OAuth Public Clients). PKCE adds an additional protection layer to the authorization code grant type.

Moving to OAuth 2.0 will need changes in your mobile application. You will have to redesign the app's login functionality. But don't be afraid, there are lots of good libraries available for OAuth 2.0 with PKCE support. IdentityServer4 too will have support for these protocols.

If you adopt OAuth 2.0, you get the ability to change your authorization server seamlessly (with some configuration). That means the same application can consume users from different authorization servers. So go with Authorization Code flow + PKCE.
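The following is an added example, not part of the question or the answer above and not IdentityServer4's code: a language-neutral model of what "Authorization Code flow + PKCE" actually buys a public client. The app side generates the `code_verifier`/`code_challenge` pair (RFC 7636, S256 method) and builds the authorize request; a toy authorization server (hypothetical, standing in for IdentityServer4) binds the issued code to the challenge and only redeems it for the matching verifier, once. The client id, redirect URI and endpoint URL are assumed values chosen for the demo.

```python
import base64
import hashlib
import secrets
import urllib.parse


def b64url_nopad(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires for both verifier and challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# ---- Client side: what the mobile app (a public client) does ----

def make_code_verifier(n_bytes: int = 32) -> str:
    """RFC 7636 4.1: random string of 43..128 chars from [A-Za-z0-9-._~]. 32 bytes -> 43 chars."""
    return b64url_nopad(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """RFC 7636 4.2, method S256: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(authorize_endpoint: str, client_id: str, redirect_uri: str,
                        scope: str, state: str, challenge: str) -> str:
    """The URL the app opens in the system browser / custom tab; only the challenge leaves the app."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return authorize_endpoint + "?" + urllib.parse.urlencode(params)


# ---- Server side: toy authorization server (hypothetical; IdentityServer4 does this for real) ----

class ToyAuthorizationServer:
    def __init__(self) -> None:
        self._pending = {}  # code -> (client_id, redirect_uri, code_challenge)

    def authorize(self, client_id: str, redirect_uri: str, challenge: str, method: str) -> str:
        """Called after the user authenticated in the browser; binds the code to the challenge."""
        if method != "S256":
            raise ValueError("only S256 is accepted; 'plain' does not protect an intercepted code")
        code = secrets.token_urlsafe(32)
        self._pending[code] = (client_id, redirect_uri, challenge)
        return code

    def token(self, code: str, client_id: str, redirect_uri: str, verifier: str):
        """Token endpoint: the code is single-use and only redeemable with the matching verifier."""
        entry = self._pending.pop(code, None)  # pop: a second redemption attempt always fails
        if entry is None:
            return None
        exp_client, exp_redirect, expected_challenge = entry
        if client_id != exp_client or redirect_uri != exp_redirect:
            return None
        if not 43 <= len(verifier) <= 128:
            return None
        if not secrets.compare_digest(make_code_challenge(verifier), expected_challenge):
            return None
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}


def run_flow() -> dict:
    """Legitimate app vs. an attacker who captured the redirect (the code) but not the verifier."""
    client_id, redirect_uri = "mobile-app", "com.example.app:/callback"  # assumed demo values
    server = ToyAuthorizationServer()

    # Legitimate login: verifier stays in the app, challenge goes out in the authorize request.
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    url = build_authorize_url("https://as.example.com/connect/authorize",  # assumed endpoint
                              client_id, redirect_uri, "openid api",
                              secrets.token_urlsafe(16), challenge)
    code = server.authorize(client_id, redirect_uri, challenge, "S256")
    legit = server.token(code, client_id, redirect_uri, verifier)
    replay = server.token(code, client_id, redirect_uri, verifier)  # code already consumed

    # Second login whose code is intercepted (e.g. by another app claiming the same URI scheme).
    verifier2 = make_code_verifier()
    code2 = server.authorize(client_id, redirect_uri, make_code_challenge(verifier2), "S256")
    attacker = server.token(code2, client_id, redirect_uri, make_code_verifier())  # guessed verifier

    # A server that still accepted 'plain' would give the attacker nothing to guess; refuse it.
    try:
        server.authorize(client_id, redirect_uri, verifier2, "plain")
        plain_rejected = False
    except ValueError:
        plain_rejected = True

    return {
        "authorize_url_has_pkce": "code_challenge_method=S256" in url,
        "legit_app": legit is not None,
        "replay": replay is not None,
        "attacker_with_stolen_code": attacker is not None,
        "plain_rejected": plain_rejected,
    }


if __name__ == "__main__":
    print(run_flow())
```

The point the answer makes about "exposing end-user credentials to the client" is visible here by contrast: the app never handles the password at all, and an attacker who grabs the authorization code off the redirect still cannot redeem it without the verifier that never left the app's memory. In IdentityServer4 the equivalent server-side behaviour is enabled by registering the mobile client with `RequirePkce` and no client secret.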

